Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/12/2024, 11:55

General

  • Target

    b6c37e3d6c1e61c71f42e005774cae3f722a3273a91d6e29d27e9f76ab4ab934.msi

  • Size

    1.8MB

  • MD5

    0d4245b805741f0d90e4a964971b0527

  • SHA1

    0828f6cbe30fc369eb62d9e992162870767489f5

  • SHA256

    b6c37e3d6c1e61c71f42e005774cae3f722a3273a91d6e29d27e9f76ab4ab934

  • SHA512

    be3c036f37be183201c4fadc3c1111b8ea0c2acf9d6f2eb1ce4e1dc4ffe4664ed91504e8fd83346257f10352f84cb701fb39057eb948fff038be3e3328e68371

  • SSDEEP

    24576:at9cpVDh1i+OG6gviWd2ZXY3kJh8b1sd7ptsn5t:tpRh1agVYtAkJSbCpyT

Malware Config

Extracted

Family

metastealer

C2

Attributes
  • dga_seed

    21845

  • domain_length

    16

  • num_dga_domains

    10000

  • port

    443

Signatures

  • Meta Stealer

    Meta Stealer, written in C++, steals passwords stored in browsers.

  • MetaStealer payload 1 IoCs
  • Metastealer family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Modifies file permissions 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 9 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\b6c37e3d6c1e61c71f42e005774cae3f722a3273a91d6e29d27e9f76ab4ab934.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1016
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4956
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:5028
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 1887842D0BF30AE6E53F47EA446C79EE
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3168
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-00e0d39f-2233-495d-90d9-f540f915777c\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:4416
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:1992
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c start msedge https://www.med.unc.edu/webguide/wp-content/uploads/sites/419/2019/07/AdobePDF.pdf
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1600
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.med.unc.edu/webguide/wp-content/uploads/sites/419/2019/07/AdobePDF.pdf
          4⤵
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:1572
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0x11c,0x12c,0x7ff92e1546f8,0x7ff92e154708,0x7ff92e154718
            5⤵
            PID:1768
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,304612009881748380,616418879194659904,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
            5⤵
            PID:64
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,304612009881748380,616418879194659904,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:4936
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,304612009881748380,616418879194659904,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
            5⤵
            PID:2444
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,304612009881748380,616418879194659904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
            5⤵
            PID:4472
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,304612009881748380,616418879194659904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
            5⤵
            PID:3340
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,304612009881748380,616418879194659904,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
            5⤵
            PID:4256
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2088,304612009881748380,616418879194659904,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=5072 /prefetch:6
            5⤵
            PID:460
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,304612009881748380,616418879194659904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
            5⤵
            PID:1992
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,304612009881748380,616418879194659904,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
            5⤵
            PID:208
          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,304612009881748380,616418879194659904,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2568 /prefetch:8
            5⤵
            PID:1520
          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,304612009881748380,616418879194659904,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2568 /prefetch:8
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:5328
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,304612009881748380,616418879194659904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1
            5⤵
            PID:5340
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,304612009881748380,616418879194659904,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
            5⤵
            PID:5348
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,304612009881748380,616418879194659904,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2328 /prefetch:2
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:5572
      • C:\Users\Admin\AppData\Local\Temp\MW-00e0d39f-2233-495d-90d9-f540f915777c\files\setup.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-00e0d39f-2233-495d-90d9-f540f915777c\files\setup.exe" /VERYSILENT /VERYSILENT
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1324
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\systemtask.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5092
        • C:\Windows\SysWOW64\systeminfo.exe
          systeminfo
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers system information
          PID:1592
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:1256
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2032
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4848

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: e443ee4336fcf13c698b8ab5f3c173d0
    SHA1: 9bf70b16f03820cbe3158e1f1396b07b8ac9d75a
    SHA256: 79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b
    SHA512: cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 56a4f78e21616a6e19da57228569489b
    SHA1: 21bfabbfc294d5f2aa1da825c5590d760483bc76
    SHA256: d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb
    SHA512: c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: e3e6aaaf901e5d3db602fdceca54cf2b
    SHA1: 45d093188b0cbe5db9cd2b5e0cd7f597e935f6b1
    SHA256: 0e60505569578fb452a7344a8c8351504e7a0c8b8afa8ae679ff679a6dad9d0f
    SHA512: 206f23882d45f2820e4fa85c374f9a092d16372e80b792f63f3244b61b865237a8e9092d38ad3831b95857dc794a88a2bc213e85e2e55fc25795cf7168fe0292
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 15818aca53a883bef9205a61f52ff9e6
    SHA1: 85cbf949b20b9841fefae2ce8f46d5d125cc6f48
    SHA256: d9144907ac03331fbe775f16c0152dbd5be87c4bb8630efb09549a032f88a12b
    SHA512: 64e97cc00b375a69e5acbf860f7cb414e651036d56c245f04797ab9837244a47e4fbc13629f9840369665de9650a37a61e4b3be04e5c8b0055b42fb3eddc2ea1
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5: 6752a1d65b201c13b62ea44016eb221f
    SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
    SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
    SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 10KB
    MD5: e4373d0b6f2df665237c49df5d44b7c7
    SHA1: 7b0ff69edd97fac63471294b63169138c71a9043
    SHA256: 8ed92f32f66e308279b848e048106c82e932fc93a66f4ac4f946e0637d91c2d1
    SHA512: 1513e9b305dcaca0d09e8b252bc572af5ff5e152d16eae0486bf89869128b385adf50ce7b8724595fee56242256ebf3b4567ce0a788023ca05e87c15b0c00c10
  • C:\Users\Admin\AppData\Local\Temp\MW-00e0d39f-2233-495d-90d9-f540f915777c\files.cab
    Filesize: 1.5MB
    MD5: 0eb1dab24d3da5ed8b7c5ea63f6ba5a5
    SHA1: 13384e702c3dd018d5e553676639167f6f351174
    SHA256: d88f05a410a655e23d498bdfa307084f5d3771e29a51417aa5ce42044ef4fb56
    SHA512: 6c07aa50cc944ac3be3a74c0bb3aa57b57df3e15ba3bf2a74eb4a5d7d4e3a2d4b055b0c5dec51e174c164b75465824037d1230b9e4375f54c18da568e3f94680
  • C:\Users\Admin\AppData\Local\Temp\MW-00e0d39f-2233-495d-90d9-f540f915777c\msiwrapper.ini
    Filesize: 380B
    MD5: 4357b08e2629b023bf214690438af981
    SHA1: d939dac493461baa82ec974a15c8485eba35c389
    SHA256: fda9fae9d8fa80d5595fcf048a7f70a77b0f88823afa81009cb7ce852c0c7047
    SHA512: 395d3a7b1953fb09c3c2672514f66e03e6d20a751e8bc50e1721ed43f10c007f8bdee55cb6ecc5564a453f60570145884493c2c6620cc6408bd90b7bfc1fd34e
  • C:\Users\Admin\AppData\Local\Temp\MW-00e0d39f-2233-495d-90d9-f540f915777c\msiwrapper.ini
    Filesize: 1KB
    MD5: bc9a1ff766bfb873de09463009ac4601
    SHA1: 65c9f4641f89033a7138a09da5d7a103bd86b8f5
    SHA256: 06d05814d3c49603341d51712214c85f70aaedde1b84ec6d05c7d797bb1b8c16
    SHA512: f65a7b7b0904ae3c59e9c98341f18520d295c72954b364319856f54fb60d0ad53ba3a652bbd6a1d8516799ca6222325f8ee29a4b8e83894931dfb51e9eebf770
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jis2pdri.z3v.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  • C:\Windows\Installer\MSIE687.tmp
    Filesize: 208KB
    MD5: 0c8921bbcc37c6efd34faf44cf3b0cb5
    SHA1: dcfa71246157edcd09eecaf9d4c5e360b24b3e49
    SHA256: fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1
    SHA512: ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108
  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize: 24.1MB
    MD5: cd115749558b40301bd43155aa1a6ac1
    SHA1: c79fe96092a5fb8043cd67e5630c6d6f91887e6e
    SHA256: 25e0e958cd7d01a9d5168578d960bb42333b41192600dfb6cae44bc7ff71585f
    SHA512: 5be40c34e3d2da96f4c85c76b5b5fb0815880e8fa433482b4e935303dfc113a1d333468ebdf9a30bd93132c0a822f2139e755a3516113dfb69db151c2fdffd99
  • \??\Volume{ff55ba41-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{7674f832-e2f5-4f23-bb5f-95dc0bb3acd1}_OnDiskSnapshotProp
    Filesize: 6KB
    MD5: 328f2e3c13778f7d05faffd8f724dc50
    SHA1: 4a0b0791d4eac07694aa49bbfede20bbcc5e2290
    SHA256: cff9b0aa576a80a61ceeb60bd9b7f0d2509a16120efa749b8727202752220a38
    SHA512: ab8df0af3d9cd2b646a28243e186267225ae3857318742a3a59ef0e07f79fe6aef8fbcaf98aed49929e747780ffd2b1085ebe60b1837677cbd2eb3104edac1ca
  • memory/1324-157-0x0000000010000000-0x0000000010731000-memory.dmp
    Filesize: 7.2MB
  • memory/5092-198-0x0000000006B10000-0x0000000006B42000-memory.dmp
    Filesize: 200KB
  • memory/5092-210-0x0000000006D50000-0x0000000006DF3000-memory.dmp
    Filesize: 652KB
  • memory/5092-181-0x0000000005530000-0x0000000005596000-memory.dmp
    Filesize: 408KB
  • memory/5092-164-0x0000000004CB0000-0x00000000052D8000-memory.dmp
    Filesize: 6.2MB
  • memory/5092-175-0x0000000005450000-0x00000000054B6000-memory.dmp
    Filesize: 408KB
  • memory/5092-186-0x00000000056A0000-0x00000000059F4000-memory.dmp
    Filesize: 3.3MB
  • memory/5092-196-0x0000000005B50000-0x0000000005B6E000-memory.dmp
    Filesize: 120KB
  • memory/5092-197-0x0000000005B90000-0x0000000005BDC000-memory.dmp
    Filesize: 304KB
  • memory/5092-199-0x000000006EAF0000-0x000000006EB3C000-memory.dmp
    Filesize: 304KB
  • memory/5092-163-0x0000000002230000-0x0000000002266000-memory.dmp
    Filesize: 216KB
  • memory/5092-209-0x0000000006130000-0x000000000614E000-memory.dmp
    Filesize: 120KB
  • memory/5092-174-0x00000000052E0000-0x0000000005302000-memory.dmp
    Filesize: 136KB
  • memory/5092-211-0x00000000074C0000-0x0000000007B3A000-memory.dmp
    Filesize: 6.5MB
  • memory/5092-212-0x0000000006E80000-0x0000000006E9A000-memory.dmp
    Filesize: 104KB
  • memory/5092-213-0x0000000006EE0000-0x0000000006EEA000-memory.dmp
    Filesize: 40KB
  • memory/5092-214-0x0000000007110000-0x00000000071A6000-memory.dmp
    Filesize: 600KB
  • memory/5092-215-0x0000000007080000-0x0000000007091000-memory.dmp
    Filesize: 68KB
  • memory/5092-216-0x00000000070B0000-0x00000000070BE000-memory.dmp
    Filesize: 56KB
  • memory/5092-217-0x00000000070C0000-0x00000000070D4000-memory.dmp
    Filesize: 80KB
  • memory/5092-218-0x00000000071D0000-0x00000000071EA000-memory.dmp
    Filesize: 104KB
  • memory/5092-219-0x0000000007100000-0x0000000007108000-memory.dmp
    Filesize: 32KB